All methods and paths for this operation:
Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.
Whether to ignore if a wildcard indices expression resolves into no concrete indices. (This includes _all string or when no indices have been specified)
If true, returns partial results if there are shard failures. If false, returns an error with no partial results.
If true, sequence queries will return partial results in case of shard failures. If false, they will return no results at all. This flag has effect only if allow_partial_search_results is true.
Whether to expand wildcard expression to concrete indices that are open, closed or both.
Supported values include:
all: Match any data stream or index, including hidden ones.open: Match open, non-hidden indices. Also matches any non-hidden data stream.closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.none: Wildcard expressions are not accepted.Values are all, open, closed, hidden, or none.
Indicates whether network round-trips should be minimized as part of cross-cluster search requests execution
Period for which the search and its results are stored on the cluster.
If true, the search and its results are stored on the cluster.
Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
EQL query you wish to run.
Field containing the event classification, such as process, file, or network.
Field used to sort hits with the same timestamp in ascending order
Field containing event timestamp. Default "@timestamp"
Maximum number of events to search at a time for sequence queries.
Query, written in Query DSL, used to filter the events on which the EQL query runs.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Allow query execution also in case of shard failures. If true, the query will keep running and will return results based on the available shards. For sequences, the behavior can be further refined using allow_partial_sequence_results
Default value is true.
This flag applies only to sequences and has effect only if allow_partial_search_results=true. If true, the sequence query will return results based on the available shards, ignoring the others. If false, the sequence query will return successfully, but will always have empty results.
Default value is false.
For basic queries, the maximum number of matching events to return. Defaults to 10
Supported values include:
tail: Return the most recent matches, similar to the Unix tail command.head: Return the earliest matches, similar to the Unix head command.Values are tail or head.
By default, the response of a sample query contains up to 10 samples, with one sample per unique set of join keys. Use the size
parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the
max_samples_per_key parameter. Pipes are not supported for sample queries.
Default value is 1.
GET /my-data-stream/_eql/search
{
"query": """
process where (process.name == "cmd.exe" and process.pid != 2013)
"""
}resp = client.eql.search(
index="my-data-stream",
query="\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n ",
)const response = await client.eql.search({
index: "my-data-stream",
query:
'\n process where (process.name == "cmd.exe" and process.pid != 2013)\n ',
});response = client.eql.search(
index: "my-data-stream",
body: {
"query": "\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n "
}
)$resp = $client->eql()->search([
"index" => "my-data-stream",
"body" => [
"query" => "\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n ",
],
]);curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"query":"\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n "}' "$ELASTICSEARCH_URL/my-data-stream/_eql/search"{
"query": """
process where (process.name == "cmd.exe" and process.pid != 2013)
"""
}{
"query": """
sequence by process.pid
[ file where file.name == "cmd.exe" and process.pid != 2013 ]
[ process where stringContains(process.executable, "regsvr32") ]
"""
}{
"is_partial": false,
"is_running": false,
"took": 6,
"timed_out": false,
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"sequences": [
{
"join_keys": [
2012
],
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "AtOJ4UjUBAAx3XR5kcCM",
"_source": {
"@timestamp": "2099-12-06T11:04:07.000Z",
"event": {
"category": "file",
"id": "dGCHwoeS",
"sequence": 2
},
"file": {
"accessed": "2099-12-07T11:07:08.000Z",
"name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe",
"type": "file",
"size": 16384
},
"process": {
"pid": 2012,
"name": "cmd.exe",
"executable": "C:\\Windows\\System32\\cmd.exe"
}
}
},
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "OQmfCaduce8zoHT93o4H",
"_source": {
"@timestamp": "2099-12-07T11:07:09.000Z",
"event": {
"category": "process",
"id": "aR3NWVOs",
"sequence": 4
},
"process": {
"pid": 2012,
"name": "regsvr32.exe",
"command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
}
}
}
]
}
]
}
}